[SS-2018-020] Ensure that table names are escaped to prevent possible SQL injection

This commit is contained in:
Robbie Averill 2018-11-07 12:12:44 +02:00 committed by Aaron Carlino
parent 466e7cf142
commit 74698af402

View File

@ -8,6 +8,7 @@ use LogicException;
use SilverStripe\Core\ClassInfo;
use SilverStripe\Core\Config\Config;
use SilverStripe\Core\Config\Configurable;
use SilverStripe\Core\Convert;
use SilverStripe\Core\Injector\Injectable;
use SilverStripe\Core\Injector\Injector;
use SilverStripe\Dev\TestOnly;
@ -127,7 +128,7 @@ class DataObjectSchema
$tables = $this->getTableNames();
$class = ClassInfo::class_name($class);
if (isset($tables[$class])) {
return $tables[$class];
return Convert::raw2sql($tables[$class]);
}
return null;
}